PCAP Timestamp Decoder enables users to decode the timestamps applied by the Arista 7150 series switches.

• Python 2.6 or later: http://www.python.org/
• dpkt: http://code.google.com/p/dpkt/

In order to install PCAP Timestamp Decoder, copy 'pcaptd' to your filesystem.

Then define the mapping between the device id (in the key frames) and the VLANs corresponding to the packets timestamped through that device in the highlighted section below (at the beginning of the script).

Once the mapping is configured, the PCAP Timestamp Decoder can then be started using:

(bash:root)# <path-to-script>/pcaptd [<options>] <input_pcap>

In order to show UTC decode details, use the '--utc-details' option. By default, stats are sent to stdout. In order to print them to a file, use the '--write-details-to-file' option (this is recommended for large input pcap files).

The following options can be used in order to control the details generated by the script:

  -d, --delta           show delta between consecutive packets
  -f, --fcs             input pcap includes FCS
  -p, --pcap-timestamps show pcap timestamps
  -r, --recover-utc     show UTC time
  -s, --src-ip          show source IP
  -t, --ticks           show hw timestamps as ticks

The 'Notes' column can have one of the following values:
 - R:       rollover
 - KEY:     key frame

The script can create a new pcap file, identical with the input one, except that the timestamp in the pcap is replaced by the decoded UTC value. In order to enable this behaviour please use the '--output-file' option. Note that the entries which cannot be decoded will show up with a timestamp of 0 in the output file. Moreover, note that the timestamp format of the new pcap file is using nanosecond precision; this means that older versions of Whireshark (earlier than 1.0.5 ) might not be able to decode it. For more on this, see:

http://wiki.wireshark.org/Development/LibpcapFileFormat

Version 4.0 has been developed and tested against Python 2.7 on MacOS, but should work on any other operating system supporting Python 2.6 or later. Please reach out to [email protected] for assistance if needed.

The tool tries to detect a counter rollover (by checking if a subsequent timestamp has a lower tick value than it predecessor). However, this mechanism does not uncover periods where the inter-timestamp delta is > 6.15s. This can result in undetected rollovers, if:

6.15s < delta < (2 * 6.15 - previous timestamp)

Multiple rollovers cannot be tracked and may go undetected.

When the '--output-file' option is used, the resulting file's timestamp accuracy will be microseconds. This is because libpcap does not support nanosecond precision. If nanosecond precision is desired, use the '--utc-details' option.

One or two keyframes in advance are required for decoding UTC in a packet. If they are not available, then decoding the timestamp in packets might not be possible.

The decoder assumes that the timestamp is located in the last four bytes of the frame. If the input file includes the Ethernet FCS (typically stripped by the NIC driver) this will result in parsing the wrong part of the frame as the timestamp. Use the --fcs option to ignore the last four bytes and consider the previous bytes as timestamp.

BSD-3, See LICENSE file